Change in osmo-ggsn[master]: ggsn: Fix heap-use-after-free during Recovery without associated PDP

pespin gerrit-no-reply at lists.osmocom.org
Thu Jun 10 17:42:31 UTC 2021


pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-ggsn/+/24642 )


Change subject: ggsn: Fix heap-use-after-free during Recovery without associated PDP
......................................................................

ggsn: Fix heap-use-after-free during Recovery without associated PDP

Related: OS#4641
Change-Id: Ib4dca2e30e723a196084b0fa0040fbceca835359
---
M ggsn/sgsn.c
1 file changed, 10 insertions(+), 2 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-ggsn refs/changes/42/24642/1

diff --git a/ggsn/sgsn.c b/ggsn/sgsn.c
index 8360439..15548ef 100644
--- a/ggsn/sgsn.c
+++ b/ggsn/sgsn.c
@@ -116,6 +116,7 @@
 {
 	unsigned int num = 0;
 	char buf[INET_ADDRSTRLEN];
+	unsigned int count = llist_count(&sgsn->pdp_list);
 
 	inet_ntop(AF_INET, &sgsn->addr, buf, sizeof(buf));
 
@@ -125,10 +126,17 @@
 			continue;
 		ggsn_close_one_pdp(pdp->lib);
 		num++;
+		if (num == count) {
+			/* Note: if except is NULL, all pdp contexts are freed and sgsn
+			 * is most probably already freed at this point.
+			 * As a result, last access to sgsn->pdp_list before exiting
+			 * loop would access already freed memory. Avoid it by exiting
+			 * the loop without the last check, and make sure sgsn is not
+			 * accessed after this loop. */
+			 break;
+		}
 	}
 
-	/* Note: if except is NULL, all pdp contexts are freed and sgsn is
-	   already freed at this point */
 	LOGP(DGGSN, LOGL_INFO, "SGSN(%s) Dropped %u PDP contexts\n", buf, num);
 
 	return num;

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-ggsn/+/24642
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-ggsn
Gerrit-Branch: master
Gerrit-Change-Id: Ib4dca2e30e723a196084b0fa0040fbceca835359
Gerrit-Change-Number: 24642
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210610/1967bf4a/attachment.htm>


More information about the gerrit-log mailing list